CVE-2024-4913 Overview
CVE-2024-4913 is a SQL injection vulnerability in Campcodes Online Examination System 1.0. The flaw resides in exam.php, where the id parameter is passed to a database query without proper sanitization. Remote attackers with low privileges can manipulate the id argument to inject arbitrary SQL statements. The issue is tracked as VDB-264448 and a public exploit has been disclosed, increasing the likelihood of opportunistic abuse against exposed deployments. The vulnerability maps to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can execute arbitrary SQL queries through the id parameter in exam.php, exposing examination data, user credentials, and underlying database contents.
Affected Products
- Campcodes Online Examination System 1.0
- Deployments using the vulnerable exam.php endpoint
- Any installation reachable over the network without input filtering on id
Discovery Timeline
- 2024-05-15 - CVE-2024-4913 published to NVD with public exploit disclosure referenced via VulDB submission #333403
- 2025-02-21 - Last updated in NVD database
Technical Details for CVE-2024-4913
Vulnerability Analysis
The vulnerability exists in the exam.php script of Campcodes Online Examination System 1.0. The script accepts an id request parameter and concatenates it into a SQL query without parameterization or input validation. An attacker submits crafted SQL payloads through the id argument and the database executes the injected statements.
Exploitation requires network access and a low-privilege authenticated account on the application. No user interaction is needed. A public proof-of-concept is referenced in the GitHub SQL Injection Exploit writeup, which lowers the technical barrier for attackers.
The EPSS probability is 0.194%, reflecting limited observed exploitation activity to date.
Root Cause
The root cause is improper neutralization of special characters in SQL queries [CWE-89]. The application interpolates the user-controlled id value directly into a query string instead of using prepared statements or parameter binding. The absence of input validation, allowlisting, or type enforcement allows SQL metacharacters to break out of the intended query context.
Attack Vector
The attack vector is network-based. An authenticated user issues an HTTP request to exam.php with a malicious id parameter, such as a UNION-based or boolean-based payload. The injected SQL is executed against the backing database. Successful exploitation can expose examination questions, student records, administrator credentials, and other stored data. Depending on database privileges, attackers may also modify records or pivot further into the host.
No verified code examples are available. See the VulDB entry and the linked exploit writeup for technical specifics.
Detection Methods for CVE-2024-4913
Indicators of Compromise
- HTTP requests to /exam.php containing SQL metacharacters in the id parameter such as ', --, UNION SELECT, SLEEP(, or OR 1=1
- Database errors or unusually long response times correlated with requests to exam.php
- Anomalous read volume from the examination database account during normal user sessions
Detection Strategies
- Enable verbose web server access logging and alert on non-numeric values in the id query parameter for exam.php
- Deploy a web application firewall (WAF) with SQL injection signature rules tuned for the application path
- Review database audit logs for unexpected UNION, INFORMATION_SCHEMA, or time-based functions originating from the web tier
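As an added example (not code from the page or from the Campcodes project), the first detection strategy above implemented as a log scanner: it parses combined-format access-log lines, isolates requests to /exam.php, and reports any id value that is not a plain integer or that contains the metacharacters listed under Indicators of Compromise. The log lines, the function name and the regular expression are constructed for this illustration.

```php
<?php
// Added example, not from the page or the Campcodes project: flag access-log
// requests to exam.php whose id is not a plain integer or carries the
// metacharacters listed under Indicators of Compromise. Sample lines are constructed.
declare(strict_types=1);
// Request field of a common/combined access-log line: "METHOD /path?query HTTP/x.y"
const REQUEST_RE = '/"(?:GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/';

// null for lines that are not exam.php requests, [] when the id is a plain
// integer, otherwise the list of reasons the request looks suspicious.
function checkExamRequest(string $line): ?array
{
    if (!preg_match(REQUEST_RE, $line, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (($url['path'] ?? '') !== '/exam.php') {
        return null;
    }
    parse_str($url['query'] ?? '', $params);                     // percent-decodes values
    $id = is_string($params['id'] ?? null) ? $params['id'] : ''; // absent or id[]=... -> ''
    $reasons = [];
    if (!ctype_digit($id)) {                                     // '' is also rejected
        $reasons[] = 'non-numeric id';
    }
    foreach (["'", '--', 'UNION SELECT', 'SLEEP(', 'OR 1=1'] as $needle) {
        if (stripos($id, $needle) !== false) {
            $reasons[] = "contains $needle";
        }
    }
    return $reasons;
}

// Constructed sample lines; only the second and third should be reported
$samples = [
    '203.0.113.5 - - [15/May/2024:10:00:01 +0000] "GET /exam.php?id=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/May/2024:10:00:07 +0000] "GET /exam.php?id=12%27%20OR%201%3D1--%20- HTTP/1.1" 200 9021',
    '203.0.113.5 - - [15/May/2024:10:00:09 +0000] "GET /exam.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 180',
    '198.51.100.7 - - [15/May/2024:10:00:11 +0000] "GET /index.php?page=2 HTTP/1.1" 200 300',
];
foreach ($samples as $line) {
    if ($reasons = checkExamRequest($line)) {
        echo 'ALERT (' . implode(', ', $reasons) . "): $line\n";
    }
}
```

Run it with `php scan.php` after replacing the constructed $samples array with lines read from the real access log; the numeric check catches payloads that the keyword list does not.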
Monitoring Recommendations
- Monitor outbound data volume from the database host for signs of bulk extraction
- Track authentication failures and successful low-privilege logins followed by anomalous query patterns
- Alert on new or unfamiliar source IPs interacting with exam.php at high request rates
How to Mitigate CVE-2024-4913
Immediate Actions Required
- Restrict access to the Campcodes Online Examination System to trusted networks or behind a VPN until a fix is applied
- Place a WAF in front of the application with rules blocking SQL injection payloads targeting the id parameter
- Rotate any credentials, session tokens, and database secrets that may have been exposed
- Audit database accounts used by the application and enforce least privilege
Patch Information
No vendor advisory or official patch is referenced in the NVD entry for CVE-2024-4913. Operators should monitor the Campcodes project page for updates and consider migrating off the affected release if no fix becomes available. In the interim, modify exam.php to use parameterized queries or prepared statements, and validate that the id value is strictly numeric before use.
Workarounds
- Replace string concatenation in exam.php with PDO prepared statements or mysqli_stmt_bind_param using typed placeholders
- Enforce server-side input validation to reject non-integer values for the id parameter
- Apply database-layer hardening by limiting the application account to SELECT on required tables only
- Disable verbose database error messages in production to reduce information leakage
# Configuration example: NGINX rule to block non-numeric id values on exam.php
# (a request with no id at all is also rejected, because $arg_id is then empty)
location = /exam.php {
    if ($arg_id !~ "^[0-9]+$") {
        return 400;
    }
    include fastcgi_params;
    # SCRIPT_FILENAME is not set by every distribution's fastcgi_params
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
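As an added example (not code from the page or from the Campcodes project), the concatenation pattern described under Root Cause shown beside the prepared-statement and integer-validation fix suggested in the Workarounds above. The table name exams, the column id, the function names, and the connection details are assumptions for the illustration, not the real exam.php source.

```php
<?php
// Added example, not the page's or the Campcodes project's code: the string
// concatenation described under Root Cause beside the prepared-statement fix
// suggested under Workarounds. Table/column names are assumed for illustration.
declare(strict_types=1);

// Vulnerable pattern (as described, not the actual exam.php source): the
// request value is spliced into SQL, so a crafted id changes the statement.
function loadExamVulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT * FROM exams WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: reject anything that is not a plain unsigned integer,
// then bind the value as a typed parameter so it is never parsed as SQL.
function loadExam(mysqli $db, mixed $rawId): ?array
{
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 10) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $id = (int) $rawId;
    $stmt = $db->prepare('SELECT * FROM exams WHERE id = ?');
    $stmt->bind_param('i', $id);               // 'i' = integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Request handling (connection details are placeholders)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'exam_app', 'PLACEHOLDER_PASSWORD', 'examdb');
try {
    $exam = loadExam($db, $_GET['id'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);                   // bad input is rejected, not echoed
    exit('Invalid exam id');
}
if ($exam === null) {
    http_response_code(404);
    exit('Exam not found');
}
// ... render $exam ...
```

The exam_app account used here should hold only SELECT on the tables exam.php needs, as the database-layer workaround above recommends.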
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.